chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates by dependabot[bot] · Pull Request #21 · astack-tech/astack

dependabot · 2026-03-11T01:23:24Z

Bumps the npm_and_yarn group with 2 updates in the /examples/agent-in-aws-bedrock-agent-core directory: @hono/node-server and hono.
Bumps the npm_and_yarn group with 1 update in the /examples/serve-astack directory: fastify.

Updates @hono/node-server from 1.19.6 to 1.19.10

Release notes

Sourced from @hono/node-server's releases.

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

fix(globals): Stop overwriting global.fetch by @usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

docs: add guide for listening to UNIX domain socket by @TransparentLC in honojs/node-server#292

fix(serve-static): Use Readable.toWeb in serveStatic by @otya128 in honojs/node-server#293

New Contributors

@TransparentLC made their first contribution in honojs/node-server#292

@otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @tshmieldev in honojs/node-server#290

chore: add configVersion to bun.lock by @yusukebe in honojs/node-server#291

New Contributors

@tshmieldev made their first contribution in honojs/node-server#290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

Commits

2f8ca36 1.19.10
455015b Merge commit from fork
cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
b1daa4c docs(readme): add @usualoma as an author (#300)
26f5e89 1.19.9
2d729e7 fix(globals): Stop overwriting global.fetch (#295)
9b72ddf 1.19.8
0b1229e fix(serve-static): Use Readable.toWeb in serveStatic (#293)
76d80e6 docs: add guide for listening to UNIX domain socket (#292)
Additional commits viewable in compare view

Updates hono from 4.10.7 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in honojs/hono#4758

fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in honojs/hono#4792

chore(builld): tsconfig project references by @BarryThePenguin in honojs/hono#4797

chore: add tsconfig.spec.json by @yusukebe in honojs/hono#4798

feat(jsx-renderer): support function-based options by @3w36zj6 in honojs/hono#4780

fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in honojs/hono#4782

New Contributors

@t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

fix(request): return string | undefined from param() when path type is any by @andrewdamelio in honojs/hono#4723

fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in honojs/hono#4752

fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in honojs/hono#4770

chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in honojs/hono#4781

New Contributors

@andrewdamelio made their first contribution in honojs/hono#4723

@otoneko1102 made their first contribution in honojs/hono#4752

@gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

b0aba5b 4.12.7
1be3a53 ci: apply automated fixes
ef90225 Merge commit from fork
3f88636 4.12.6
53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
58825a7 feat(jsx-renderer): support function-based options (#4780)
0e80acb chore: add tsconfig.spec.json (#4798)
d69deb8 chore(builld): tsconfig project references (#4797)
8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
Additional commits viewable in compare view

Updates fastify from 5.6.1 to 5.8.1

Release notes

Sourced from fastify's releases.

v5.8.1

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: fastify/fastify@v5.8.0...v5.8.1

v5.8.0

What's Changed

docs(request): add host security warning references by @mcollina in fastify/fastify#6476

docs: fix note style by @Fdawgs in fastify/fastify#6487

chore: rename deploy website ci by @Eomm in fastify/fastify#6492

chore: support pino v9 and v10 by @mcollina in fastify/fastify#6496

chore: update logger types and fix TODO comment by @Tony133 in fastify/fastify#6470

refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @Tony133 in fastify/fastify#6472

docs: fix markdown typo in README.md by @droppingbeans in fastify/fastify#6491

test: cover non-numeric content-length client error path by @mcollina in fastify/fastify#6500

ci: remove tests-checker workflow by @Tony133 in fastify/fastify#6481

ci: remove stale.yml file by @Tony133 in fastify/fastify#6504

docs(security): remove hackerone references; change note style by @Fdawgs in fastify/fastify#6501

chore: rename @sinclair/typebox to typebox by @Tony133 in fastify/fastify#6494

ci(links-check): add external link checker using linkinator-action by @umxr in fastify/fastify#6386

chore: upgrade borp to v1.0.0 by @Tony133 in fastify/fastify#6510

docs: Add OpenJS CNA reference to SECURITY.md by @mcollina in fastify/fastify#6516

fix: avoid mutating shared routerOptions across instances by @mcollina in fastify/fastify#6515

fix(types): accept async route hooks in shorthand options by @mcollina in fastify/fastify#6514

docs: Improve shutdown lifecycle documentation by @kibertoad in fastify/fastify#6517

chore: remove unused tsconfig.eslint.json by @mrazauskas in fastify/fastify#6524

feat: First-class support for handler-level timeouts by @kibertoad in fastify/fastify#6521

docs(security): clarify insecureHTTPParser threat model scope by @mcollina in fastify/fastify#6533

chore(license): standardise license notice by @Fdawgs in fastify/fastify#6511

docs: clarify anyOf nullable coercion behavior with primitive types by @slegarraga in fastify/fastify#6531

fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @super-mcgin in fastify/fastify#6528

docs(reference/hooks): fix note style by @Fdawgs in fastify/fastify#6538

chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @dependabot[bot] in fastify/fastify#6539

chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in fastify/fastify#6540

chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @dependabot[bot] in fastify/fastify#6542

ci: remove broken links and add ecosystem link validator by @mcollina in fastify/fastify#6421

ci(validate-ecoystem-links): add job level permission by @Fdawgs in fastify/fastify#6545

style: remove trailing whitespace by @Fdawgs in fastify/fastify#6543

New Contributors

@droppingbeans made their first contribution in fastify/fastify#6491

@umxr made their first contribution in fastify/fastify#6386

@slegarraga made their first contribution in fastify/fastify#6531

@super-mcgin made their first contribution in fastify/fastify#6528

Full Changelog: fastify/fastify@v5.7.4...v5.8.0

... (truncated)

Commits

073ff81 Bumped v5.8.1
67f6c9b Merge commit from fork
161578a chore: sync version
9b06a78 Bumped v5.8.0
bbdfe82 style: remove trailing whitespace (#6543)
cd58ed4 ci(validate-ecoystem-links): add job level permission (#6545)
2590592 ci: remove broken links and add ecosystem link validator (#6421)
09b55b6 chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 (#6542)
43c4e38 chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 (#6540)
3b40573 chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 (#6539)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates Bumps the npm_and_yarn group with 2 updates in the /examples/agent-in-aws-bedrock-agent-core directory: [@hono/node-server](https://github.com/honojs/node-server) and [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 1 update in the /examples/serve-astack directory: [fastify](https://github.com/fastify/fastify). Updates `@hono/node-server` from 1.19.6 to 1.19.10 - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.6...v1.19.10) Updates `hono` from 4.10.7 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.10.7...v4.12.7) Updates `fastify` from 5.6.1 to 5.8.1 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v5.6.1...v5.8.1) --- updated-dependencies: - dependency-name: "@hono/node-server" dependency-version: 1.19.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: fastify dependency-version: 5.8.1 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-03-11T01:23:26Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
astack	Ready	Preview, Comment	Mar 11, 2026 1:24am

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 11, 2026

vercel bot deployed to Preview March 11, 2026 01:24 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates#21

chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates#21
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/examples/agent-in-aws-bedrock-agent-core/npm_and_yarn-ea72b1849e

dependabot bot commented on behalf of github Mar 11, 2026

Uh oh!

vercel bot commented Mar 11, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 11, 2026

v1.19.10

Security Fix

v1.19.9

What's Changed

v1.19.8

What's Changed

New Contributors

v1.19.7

What's Changed

New Contributors

v4.12.7

Security hardening

v4.12.6

What's Changed

New Contributors

v4.12.5

What's Changed

New Contributors

v4.12.4

Security fixes

SSE Control Field Injection

Cookie Attribute Injection in setCookie()

v5.8.1

⚠️ Security Release

v5.8.0

What's Changed

New Contributors

Uh oh!

vercel bot commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Cookie Attribute Injection in `setCookie()`

vercel bot commented Mar 11, 2026 •

edited

Loading